1. Research Background
The company needed a local private Docker registry that also acts as a caching proxy (mirror) for Docker Hub.
Nexus 3 not only integrates repository formats such as Maven and npm, but also supports Docker.
Testing showed that Nexus 3 basically meets these needs, except that its image management is weak (not as intuitive as Harbor's).
2. Deployment steps
2.1 Deployment Environment
Operating system: CentOS 7 (64-bit)
Java: 1.8.0_171 (Nexus requires a JDK at runtime)
2.2 Install Nexus 3
Installation is simple: download and unpack.
Download address: https://www.sonatype.com/download-oss-sonatype (file nexus-3.10.0-04-unix.tar.gz)
Unpack it into the /opt directory (any directory works; adjust the paths below accordingly)
# tar zxvf nexus-3.10.0-04-unix.tar.gz -C /opt
2.3 Configure the certificate (self-signed)
By default Nexus does not enable HTTPS, whereas Docker expects registries to use HTTPS, so to keep things consistent we configure an HTTPS certificate.
Here we use keytool to do it.
Step 1: Generate the keystore that the server will use
Replace the IP address with your machine's IP (for convenience, I have set both the domain name and the IP here)
Running the script generates keystore.jks in the current directory.
#!/bin/bash
NEXUS_DOMAIN=192.168.12.129
NEXUS_IP_ADDRESS=192.168.12.129
PASSWD=Nexus123
keytool -genkeypair -keystore keystore.jks -storepass ${PASSWD} -keypass ${PASSWD} \
  -alias nexus -keyalg RSA -keysize 2048 -validity 5000 \
  -dname "CN=${NEXUS_DOMAIN}, OU=Nexus, O=Nexus, L=Beijing, ST=Beijing, C=CN" \
  -ext "SAN=IP:${NEXUS_IP_ADDRESS}" -ext "BC=ca:true"
Put keystore.jks in the Nexus ssl directory; it would also work elsewhere, but this keeps it easy to manage.
# cp keystore.jks /opt/nexus-3.10.0-04/etc/ssl/
Step 2: Generate the certificate the clients need
In the directory containing keystore.jks, run the following command (the password must be the same as above):
# keytool -export -alias nexus -keystore keystore.jks -file keystore.cer -storepass Nexus123
The keystore.cer file is generated in the current directory (it will be imported into the client machines later).
Step 3: Configure Nexus to use the certificate and enable HTTPS
# cp /opt/nexus-3.10.0-04/etc/nexus-default.properties /opt/nexus-3.10.0-04/etc/nexus-default.properties.bak
# vim /opt/nexus-3.10.0-04/etc/nexus-default.properties
## DO NOT EDIT - CUSTOMIZATIONS BELONG IN $data-dir/etc/nexus.properties
##
# Jetty section
application-port-ssl=8443
application-port=8081
application-host=0.0.0.0
nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-http.xml,${jetty.etc}/jetty-requestlog.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-http-redirect-to-https.xml
nexus-context-path=/

# Nexus section
nexus-edition=nexus-pro-edition
nexus-features=\
 nexus-pro-feature
Then, configure /opt/nexus-3.10.0-04/etc/jetty/jetty-https.xml
# vim /opt/nexus-3.10.0-04/etc/jetty/jetty-https.xml
<Set name="KeyStorePath">/opt/nexus-3.10.0-04/etc/ssl/keystore.jks</Set>
<Set name="KeyStorePassword">Nexus123</Set>
<Set name="KeyManagerPassword">Nexus123</Set>
<Set name="TrustStorePath">/opt/nexus-3.10.0-04/etc/ssl/keystore.jks</Set>
<Set name="TrustStorePassword">Nexus123</Set>
Step 4: Start Nexus
# /opt/nexus-3.10.0-04/bin/nexus start
The startup log is at /opt/sonatype-work/nexus3/log/nexus.log
Now open it in the browser (default credentials admin/admin123).
It is indeed HTTPS, but the browser does not trust it because the certificate is self-signed.
Step 5: As an experiment, import the certificate into the browser
Import the keystore.cer file generated in step 2 into the browser.
Google Chrome: Settings - Advanced - Manage Certificates
Click Import, select the certificate file, and step through the import wizard.
Restart Chrome and revisit https://192.168.12.129:8443 (the Nexus address):
the "Not secure" warning is gone. Success!
2.4 Configure a Docker registry (hosted private repository)
Repository - Repositories - Create repository - select docker (hosted)
Fill in a name (e.g. docker-local)
Tick HTTPS and fill in a port (e.g. 7709), tick "Enable Docker V1 API", leave the rest at the defaults
Click Create repository to create the repository
2.5 Configure a Docker mirror (proxy)
Repository - Repositories - Create repository - select docker (proxy)
Fill in a name (e.g. docker-hub)
Tick HTTPS and fill in a port (e.g. 7719)
Untick Force basic authentication and tick "Enable Docker V1 API"
Fill in Remote storage: I used my own DaoCloud mirror address here, http://cfdd5a36.m.daocloud.io
Docker Index: select "Use Docker Hub", leave the rest at the defaults
Click Create repository to create the repository
2.6 Configure Realms (I had not configured this step at first, and it cost a lot of time)
Security - Realms: activate the Docker Realm
2.7 Import the certificate on the client
So far we have only imported the certificate into the browser; for the Docker client to talk to the registry,
the client machine must also trust the certificate.
Taking CentOS 7 as an example, this takes two steps (for Ubuntu, see the appendix at the end of this article)
Step 1: Copy keystore.cer to the /etc/pki/ca-trust/source/anchors directory
Step 2: Update the system trust store:
# update-ca-trust extract
2.8 Configure the Docker daemon to use the mirror
Edit /lib/systemd/system/docker.service
Append --registry-mirror=https://192.168.12.129:7719 to the ExecStart=/usr/bin/dockerd line
Restart the Docker service:
# systemctl daemon-reload
# systemctl restart docker
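The script below is an added example, not from the original article, covering sections 2.7 and 2.8 (and the Ubuntu appendix) in a way that limits the blast radius of the self-signed certificate. Instead of adding the Nexus certificate to the operating system's trust store, where every TLS client on the machine would trust it, it places it in Docker's per-registry directory /etc/docker/certs.d/<host:port>/ca.crt, so only Docker connections to those two ports trust it. And instead of editing the packaged docker.service unit (which a package upgrade overwrites), it sets registry-mirrors in /etc/docker/daemon.json. The host:port values are the article's; keystore.crt is assumed to be the PEM export of the Nexus certificate; the ROOT parameter is a path prefix so the functions can be exercised in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original article): trust the Nexus certificate for Docker
# only, via /etc/docker/certs.d, and configure the mirror in daemon.json instead of
# editing the packaged docker.service unit.
# Assumptions: host:port values are the article's; keystore.crt is the PEM certificate;
# ROOT is a path prefix ("" for the real system, a temp dir for testing).

# install_registry_ca ROOT HOSTPORT CERT_FILE
# Docker reads <ROOT>/etc/docker/certs.d/<host:port>/ca.crt as the CA for that registry,
# so the self-signed certificate never enters the OS-wide trust store.
install_registry_ca() {
  root=$1 hostport=$2 cert=$3
  grep -q 'BEGIN CERTIFICATE' "$cert" 2>/dev/null || {
    echo "$cert is not a PEM certificate" >&2; return 1
  }
  dir="$root/etc/docker/certs.d/$hostport"
  mkdir -p "$dir"
  cp "$cert" "$dir/ca.crt"
  chmod 644 "$dir/ca.crt"
}

# write_daemon_json ROOT MIRROR_URL
# Writes registry-mirrors to daemon.json. Refuses plain http so the mirror cannot be
# silently downgraded, and refuses to clobber an existing daemon.json.
write_daemon_json() {
  root=$1 mirror=$2
  case "$mirror" in
    https://*) ;;
    *) echo "mirror must use https: $mirror" >&2; return 1 ;;
  esac
  f="$root/etc/docker/daemon.json"
  if [ -e "$f" ]; then
    echo "$f already exists; add \"registry-mirrors\" to it by hand" >&2
    return 1
  fi
  mkdir -p "$root/etc/docker"
  printf '{\n  "registry-mirrors": ["%s"]\n}\n' "$mirror" > "$f"
}

main() {
  # Both the hosted registry (7709) and the proxy (7719) present the same certificate.
  install_registry_ca "" 192.168.12.129:7709 keystore.crt
  install_registry_ca "" 192.168.12.129:7719 keystore.crt
  write_daemon_json "" https://192.168.12.129:7719
  systemctl restart docker
  docker info | grep -A1 'Registry Mirrors'
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Use either daemon.json or the --registry-mirror flag, not both: dockerd refuses to start when the same option is set on the command line and in the configuration file. With this approach the update-ca-trust step in 2.7 and the dpkg-reconfigure step in the appendix are unnecessary for Docker, though the browser still needs its own import.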
2.9 Verify that Docker can talk to the Nexus Docker registries
Log in to the private registry with the username and password (admin/admin123)
# docker login 192.168.12.129:7709
Push an image to the private registry
# docker tag ubuntu:12.04 192.168.12.129:7709/library/ubuntu:12.04
# docker push 192.168.12.129:7709/library/ubuntu:12.04
Pull an image (through the mirror)
# docker pull ubuntu:13.04
2.10 Finally, check in Nexus that the images we pushed and pulled show up in the repositories
That's the end of the tutorial: the configuration works, time to go home for dinner!
=====
Appendix: importing the certificate on Ubuntu 16.04
* On Ubuntu the usual import format is .crt, so first export the certificate in that format
# keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12
# openssl pkcs12 -in keystore.p12 -nokeys -out keystore.crt
* Import the exported keystore.crt into the system trust store
# mkdir /usr/share/ca-certificates/extra
# cp keystore.crt /usr/share/ca-certificates/extra
# dpkg-reconfigure ca-certificates
Done. (If the certificate is still reported as untrusted, restarting the client machine usually fixes it.)
To start Nexus automatically at boot:
(Adjust the JDK and Nexus paths to the ones you actually use)
# vim /lib/systemd/system/nexus.service
[Unit]
Description=nexus
After=network.target

[Service]
Type=forking
Environment="JAVA_HOME=/opt/jdk1.8.0_171"
ExecStart=/opt/nexus-3.10.0-04/bin/nexus start
ExecReload=/opt/nexus-3.10.0-04/bin/nexus restart
ExecStop=/opt/nexus-3.10.0-04/bin/nexus stop
PrivateTmp=true

[Install]
WantedBy=multi-user.target
# systemctl enable nexus.service
# systemctl start nexus.service
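The unit above has no User= line, so systemd starts Nexus as root, and a compromise of the Nexus web application would then run with root privileges. The script below is an added example, not from the original article: it writes a unit that runs Nexus as a dedicated unprivileged account, adds the file-descriptor limit Nexus warns about at startup when it is missing, and installs the unit under /etc/systemd/system (the administrator's directory) rather than /lib/systemd/system. The JDK and Nexus paths are the article's; the account name nexus is a choice made here.

```shell
#!/bin/sh
# Added example (not from the original article): run Nexus from systemd as an
# unprivileged user with the file-descriptor limit it expects.
# Assumptions: paths are the article's; the account name "nexus" is a choice made here.

# write_nexus_unit JDK_HOME NEXUS_HOME OUT_FILE
# Refuses to write a unit that points at a JDK or Nexus launcher that does not exist,
# so a typo in the paths is caught before systemctl reports a cryptic start failure.
write_nexus_unit() {
  jdk=$1 nexus=$2 out=$3
  [ -x "$jdk/bin/java" ] || { echo "no java at $jdk/bin/java" >&2; return 1; }
  [ -x "$nexus/bin/nexus" ] || { echo "no nexus launcher at $nexus/bin/nexus" >&2; return 1; }
  cat > "$out" <<EOF
[Unit]
Description=nexus
After=network.target

[Service]
Type=forking
# Run as an unprivileged account instead of root; bin/nexus.rc must set run_as_user="nexus" to match.
User=nexus
# Nexus logs a warning at startup if fewer than 65536 file descriptors are available.
LimitNOFILE=65536
Environment="JAVA_HOME=$jdk"
ExecStart=$nexus/bin/nexus start
ExecReload=$nexus/bin/nexus restart
ExecStop=$nexus/bin/nexus stop
Restart=on-abort
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF
}

main() {
  nexus_home=/opt/nexus-3.10.0-04
  jdk_home=/opt/jdk1.8.0_171
  # Create the service account (system account, no login shell) if it is missing.
  id nexus >/dev/null 2>&1 || useradd -r -s /sbin/nologin -d /opt/sonatype-work nexus
  # Nexus must own its install and data directories to write logs, tmp and blob stores.
  chown -R nexus: "$nexus_home" /opt/sonatype-work
  # Tell the launcher script which user it is expected to run as.
  grep -q '^run_as_user="nexus"' "$nexus_home/bin/nexus.rc" \
    || echo 'run_as_user="nexus"' >> "$nexus_home/bin/nexus.rc"
  write_nexus_unit "$jdk_home" "$nexus_home" /etc/systemd/system/nexus.service
  systemctl daemon-reload
  systemctl enable nexus.service
  systemctl start nexus.service
}

if [ "${1:-}" = "--run" ]; then main; fi
```

After `systemctl start nexus.service`, `ps -o user= -p "$(pgrep -f org.sonatype.nexus.karaf | head -1)"` should print nexus rather than root. The keystore.jks copied into etc/ssl in step 1 is covered by the chown, so Nexus can still read it.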